05-28-2009, 11:47 AM
New Member
Posts: 4

SSL certificates for IMAPS (993) and SMTPS (465); extra logging?

I've inherited maintenance of a ZNE 5.0.13 server.

Services I want to offer:
-----------------------------
SMTP+AUTH+STARTTLS only on 25, and SMTP+AUTH+STARTTLS only on submission 587, SMTPS on 465 (for STARTTLS incapable clients); and, be absolutely certain no users send their password unencrypted -- so, forbid PLAINTEXT AUTH entirely. Obviously, I have to accept unencrypted delivery from other MTAs on 25.

IMAP+STARTTLS only on 143, IMAPS on 993 (for STARTTLS incapable clients like MacOS Mail.app); and, again, be absolutely certain no users send unencrypted credentials -- so, forbid PLAINTEXT AUTH on 143.

No POP3, period.


A few questions because I'm new to Zimbra, and the box is really only half configured, and I don't know where to look.


About certificates:
----------------------

The hostname is: "server.example.com".

All services run as, and the certificates are issued to, "mail.example.com". Means: https, imaps, smtp, smtps all run for users as "mail.example.com".

The CSR was not generated using Zimbra, these are old certificates we already have from other services.

I can see the installed certificate in the HTTP Admin Console.

We have installed the above commercial GeoTrust cert, key, their CA cert, and our CSR into /opt/zimbra/ssl/zimbra/commercial/commercial{_ca}.{crt,csr,key}.

1) Which Zimbra components use the "commercial" files? What is the significance of the "ca/" and "server/" directories and files?

2) Must the commercial.key file be unencrypted, e.g. password-less? I assume so.

3) Permissions on the cert related files are 644. From the wiki, I believe this is incorrect; they should be 740?

4) From /var/log/mail.log, postfix wants /opt/zimbra/conf/smtpd.key. How do I make it happy? Should I copy/link the password-less commercial.key file here?

5) I also installed the OS package containing root certificates. Is this relevant?


Logging/Debugging
-------------------------

The best (certified) wiki article I can find on this is for 4.5.

It seems I must read /var/log/mail.* for postfix, but everything else is under /opt/zimbra/logs?

In /opt/zimbra/logs/mailbox.log (I guess it's the main log file), I don't see clients connecting to check their IMAP (e.g. "Get new mail" on a client doesn't generate any log entries). Zimbra *does* log a client changing IMAP folders; e.g. on client, viewing INBOX, click "Sent Mail", gives me a log hit.

1) Where do I turn up IMAP logging to log all IMAP transactions?



Sorry if lots of this is covered in various places. Please point me to docs if it's easier. I have some specific tasks I want to cover quickly, so I do appreciate any direct answers. I'm happy to add responses to any wiki pages as necessary.


Thanks in advance!
Reply With Quote
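The policy in the post (no AUTH on 25, 587 or 143 until TLS is up) can be checked from the outside by looking at what the server advertises before STARTTLS. The following is an added example, not part of the original post and not Zimbra code: it audits captured cleartext EHLO and CAPABILITY responses. The function names and sample captures are constructed, and it assumes the IMAP capabilities arrive as an untagged `* CAPABILITY` line.

```python
# Added example: audit captured pre-TLS responses. Sample captures are constructed.

def smtp_violations(ehlo_reply):
    """Check a cleartext (pre-STARTTLS) EHLO reply from port 25 or 587."""
    keywords = {}
    for line in ehlo_reply.strip().splitlines()[1:]:   # first line is the greeting
        text = line[4:].strip()                        # drop "250-" / "250 "
        # Some servers also emit the legacy "AUTH=..." form; normalise it.
        name, _, args = text.replace("=", " ", 1).partition(" ")
        keywords.setdefault(name.upper(), set()).update(args.upper().split())
    problems = []
    if "STARTTLS" not in keywords:
        problems.append("STARTTLS not offered")
    if "AUTH" in keywords:
        problems.append("AUTH offered before TLS: " + " ".join(sorted(keywords["AUTH"])))
    return problems


def imap_violations(capability_line):
    """Check a cleartext (pre-STARTTLS) CAPABILITY response from port 143."""
    caps = {c.upper() for c in capability_line.split()[2:]}   # skip "* CAPABILITY"
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:                    # RFC 3501 capability
        problems.append("LOGIN command allowed before TLS")
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    if mechs:
        problems.append("AUTH offered before TLS: " + " ".join(mechs))
    return problems


GOOD_SMTP = """250-mail.example.com
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

BAD_SMTP = """250-mail.example.com
250-PIPELINING
250-AUTH LOGIN PLAIN
250 AUTH=LOGIN PLAIN"""

GOOD_IMAP = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
BAD_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

if __name__ == "__main__":
    for label, found in [("smtp", smtp_violations(BAD_SMTP)), ("imap", imap_violations(BAD_IMAP))]:
        print(label, found)
```

The captures must be taken before STARTTLS is issued; on the implicit-TLS ports 465 and 993 the session is encrypted from the first byte, so these checks do not apply there.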
